By Raj Samani, Chief Scientist, Rapid7

So RSAC was over, and as ever the only thing on my mind was a good cup of tea and perhaps some of my favorite biscuits. Admittedly, this very much reinforces the stereotype of the country I live in, but imagine going into the supermarket only to find that my favorites were not available. When I asked the assistant, I was told that an IT problem had disrupted deliveries, so I would not be getting the biscuits I craved.

To translate: the “IT problem” was the work of a criminal group that had targeted and compromised a number of UK retailers. The perpetrator was the threat group known as DragonForce, a ransomware group active since late 2023 that operates a white-label Ransomware-as-a-Service (RaaS) offering. Built on the LockBit Black builder, the service gives affiliates a fully automated infrastructure, a data leak site, and tools for exfiltration, encryption, and communication. Initially ideologically motivated, DragonForce has shifted to financially driven extortion campaigns that use dual extortion tactics, threatening to publish stolen data if victims don’t pay.

Herein lies the true issue with cybersecurity: articulating and demonstrating the impact of a given compromise, both in monetary terms and in terms of customer confidence. Whilst my tea and biscuits example may be lighthearted, it is a simple illustration of how dependent our food supply chain is on the availability of the systems that run it. Without access to real-time threat sharing, the risk is that a single threat group can tear through multiple organizations and impact many victims.

We often cite threat intelligence as the solution to this problem; however, the reality is that this intelligence is merely a “feed” that results in security teams being inundated with data, making it difficult to extract the crucial information needed for timely action. This deluge of information leads to delays, and in cybersecurity we know that time is of the essence. The threat landscape is not static; it’s a dynamic environment that requires continuous, up-to-the-minute awareness. Defenders need a real-time understanding of what is happening to effectively protect their organizations.

The fundamental challenge lies in transforming vast quantities of raw intelligence into actionable insights. Simply collecting every available data feed results in a chaotic and unmanageable environment. Many high-profile breaches have occurred not because of a lack of alerts, but because critical signals were lost in the noise. The key is to move away from amassing indiscriminate data and instead focus on high-fidelity information that can be trusted and acted upon. That’s why organizations like the Cyber Threat Alliance are so important, because they can help cybersecurity providers achieve this goal.

Actionable intelligence is critical. Focusing on the key components of an attack against a given sector allows resources to be prioritized so that the same risk (the same tactics) does not materialize at every other organization in that sector. Whilst this does not guarantee protection, it does at least make the threat actor’s job harder.

Yes, I acknowledge that the term intelligence has been used a little too much, but the key here is to recognize that intelligence is not a commodity. Knowing efficiently which indicators in an environment are confirmed as malicious, and what the threat actors’ motivations are, demands quality over quantity. Armed with this knowledge, security teams can take targeted, timely action to disrupt the kill chain much faster. By moving beyond manual tools and integrating curated, contextualized intelligence into operations, organizations can surface the alerts that truly matter to their business.
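To make the "quality over quantity" point concrete, here is an added example (not code from the original post, Rapid7, or the Cyber Threat Alliance) of the kind of triage a security team can run over several indicator feeds before anything reaches an analyst queue. It merges duplicate indicators across feeds, discards stale entries, and scores what remains by corroboration, reported confidence, freshness, and relevance to the organization's own sector, so that only a short, high-fidelity list is surfaced. The feed records, the IP addresses and domain (all from documentation ranges), the weights, and the 30-day staleness window are constructed assumptions for illustration, not published intelligence.

```python
from datetime import datetime, timezone

# Constructed reference time for the example (assumption, not a real event date).
NOW = datetime(2025, 5, 10, tzinfo=timezone.utc)

# Constructed sample feed records. Indicators use RFC 5737 documentation ranges
# and a reserved example domain; none of them is a real IoC.
FEEDS = {
    "feed_a": [
        {"indicator": "198.51.100.23", "type": "ipv4", "confidence": 90,
         "last_seen": "2025-05-09", "tags": ["ransomware", "retail"]},
        {"indicator": "203.0.113.7", "type": "ipv4", "confidence": 40,
         "last_seen": "2024-11-01", "tags": ["scanner"]},
        {"indicator": "bad-update.example", "type": "domain", "confidence": 80,
         "last_seen": "2025-05-08", "tags": ["ransomware"]},
    ],
    "feed_b": [
        {"indicator": "198.51.100.23", "type": "ipv4", "confidence": 85,
         "last_seen": "2025-05-08", "tags": ["retail", "c2"]},
        {"indicator": "203.0.113.7", "type": "ipv4", "confidence": 35,
         "last_seen": "2024-10-20", "tags": ["scanner"]},
        {"indicator": "192.0.2.55", "type": "ipv4", "confidence": 20,
         "last_seen": "2025-05-09", "tags": []},
    ],
    "feed_c": [
        {"indicator": "bad-update.example", "type": "domain", "confidence": 75,
         "last_seen": "2025-05-09", "tags": ["retail"]},
    ],
}


def merge_feeds(feeds):
    """Collapse the same indicator reported by several feeds into one entry,
    keeping every reporting source, every confidence value, the most recent
    sighting and the union of tags."""
    merged = {}
    for source, records in feeds.items():
        for rec in records:
            key = (rec["type"], rec["indicator"].strip().lower())
            entry = merged.setdefault(key, {
                "indicator": key[1], "type": key[0], "sources": set(),
                "confidences": [], "last_seen": None, "tags": set(),
            })
            entry["sources"].add(source)
            entry["confidences"].append(rec["confidence"])
            seen = datetime.fromisoformat(rec["last_seen"]).replace(tzinfo=timezone.utc)
            if entry["last_seen"] is None or seen > entry["last_seen"]:
                entry["last_seen"] = seen
            entry["tags"].update(rec["tags"])
    return merged


def fidelity_score(entry, sector, now=NOW, max_age_days=30):
    """Score 0.0..1.0 for one merged entry. Weights are an illustrative
    assumption: corroboration and confidence dominate, freshness and sector
    relevance refine the ordering. Anything older than max_age_days is
    treated as not actionable and scores 0."""
    age_days = (now - entry["last_seen"]).days
    if age_days > max_age_days:
        return 0.0
    corroboration = min(len(entry["sources"]), 3) / 3      # 1 source -> 0.33, 3+ -> 1.0
    confidence = max(entry["confidences"]) / 100           # best reported confidence
    freshness = 1 - age_days / max_age_days                # 1.0 today, 0.0 at the cutoff
    relevance = 1.0 if sector in entry["tags"] else 0.5    # tagged for our sector?
    return round(0.35 * corroboration + 0.35 * confidence
                 + 0.15 * freshness + 0.15 * relevance, 3)


def prioritize(feeds, sector, threshold=0.6, now=NOW):
    """Return [(score, indicator, [sources])] for entries at or above the
    threshold, highest score first. Everything else stays out of the queue."""
    shortlist = []
    for entry in merge_feeds(feeds).values():
        score = fidelity_score(entry, sector, now)
        if score >= threshold:
            shortlist.append((score, entry["indicator"], sorted(entry["sources"])))
    shortlist.sort(reverse=True)
    return shortlist


if __name__ == "__main__":
    # Seven raw records across three feeds collapse to two indicators worth acting on.
    for score, indicator, sources in prioritize(FEEDS, sector="retail"):
        print(f"{score:.3f}  {indicator:<22} corroborated by {', '.join(sources)}")
```

Running it against the constructed feeds surfaces only the two indicators that are recent, reported by more than one feed, and tagged for the retail sector; the long-stale scanner address and the single-source, low-confidence address never reach the queue. The useful design choice is that staleness is a hard cutoff rather than a weight: an indicator last seen months ago should age out of blocklists and detection rules regardless of how confident its original source was.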
